+++ This bug was initially created as a clone of Bug #864812 +++

CVE-2013-4148

Michael S. Tsirkin writes:

QEMU 1.0 integer conversion in virtio_net_load()@hw/net/virtio-net.c

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int so it can get negative when assigned 32bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.

An user able to alter the savevm data (either on the disk or over the wire
during migration) could use this flaw to to corrupt QEMU process memory on
the (destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4148
https://bugzilla.redhat.com/show_bug.cgi?id=1066334